The nmap scan shows that many ports are open.
The web page on port 80 runs Elastix.
I tried one of the exploits from searchsploit. It is an LFI for Elastix 2.2.0.
It actually worked, and I got the credential.
I successfully logged in to Elastix with the credential.
I also found that I can access SSH as root with the credential.